Why mailscanner fails recognizing a forwarded infected.
Remco Barendse
mailscanner at BARENDSE.TO
Mon Sep 6 11:26:40 IST 2004
On Mon, 6 Sep 2004, Mirko Bovati wrote:
> On Monday 06 September 2004 11:44, you wrote:
>> On Mon, 6 Sep 2004, Mirko Bovati wrote:
>>> On Friday 03 September 2004 17:29, you wrote:
>>>> Mirko Bovati wrote:
>>>>> On Friday 03 September 2004 16:28, you wrote:
>>>>>> Mirko
>>>>>>
>>>>>> do these scanners recognise the virus is called from the command line
>>>>>> on the MS computer??
>>>>>
>>>>> hi Martin,
>>>>>
>>>>> The local antivirus that finds the virus is VirusScan 7.0 on an MS
>>>>> computer. VirusScan doesn't clean the email. I forward the infected
>>>>> email (and MailScanner says it is clean) and the recipient again finds it
>>>>> is infected.
>>>>>
>>>>> But, on another way, if I after receiving the infected email, I save
>>>>> the attach (i.e. the virus) and I send a new email with the saved
>>>>> attach attached, the MailScanner find the virus.
>>>>>
>>>>> I don't know if I answered your question.
>>>>>
>>>>> mirko
>>>>
>>>> Mirko
>>>>
>>>> OK are you keeping archive copies of the mails? If so what happens if
>>>> you run the virus scanner on the infected message it misses - ie run the
>>>> virus outside of MS control, from the command line, on the infected
>>>> message.
>>>
>>> Running from command line on a linux box, uvscan misses the infected
>>> messages. The same happens with the df/qf pair.
>>>
>>> So it seems a mcafee problem.
>>
>> Did you read/follow the part about not using any symlinks anywhere for
>> mcafee? On some systems this causes mcafee to behave strangely and not
>> detect virii that it does properly find from the command line
>
> I think yes:
> [mirko at harey /usr/local/uvscan]$ ls -l
> total 8448
> -rw-rw-rw- 1 root root 416862 Sep 1 06:32 clean.dat
> -r--r--r-- 1 root root 12014 Sep 6 10:32 contact.txt
> -r--r--r-- 1 root root 971875 Sep 6 10:32 e4320upg.pdf
> -rw-rw-rw- 1 root root 110 Sep 1 06:32 file_id.diz
> -rw-rw-rw- 1 root root 12124 Oct 15 1998 internet.dat
> lrwxrwxrwx 1 root root 15 Sep 6 10:32 liblnxfv.so -> ./liblnxfv.so.4
> -r-xr-xr-x 1 root root 2664512 Sep 6 10:32 liblnxfv.so.4
> -r--r--r-- 1 root root 1056 Sep 6 10:32 license.dat
> -r--r--r-- 1 root root 1809 Sep 6 10:32 license.txt
> -r--r--r-- 1 root root 38154 Sep 6 10:32 messages.dat
> -rw-rw-rw- 1 root root 499211 Sep 1 06:32 names.dat
> -rw-rw-rw- 1 root root 1209 Sep 1 06:32 packing.lst
> -rw-rw-rw- 1 root root 708 Sep 1 06:32 pkgdesc.ini
> -rw-rw-rw- 1 root root 45921 Sep 1 06:32 readme.txt
> -rw-rw-rw- 1 root root 12169 Sep 1 06:32 reseller.txt
> -rw-rw-rw- 1 root root 3690590 Sep 1 06:32 scan.dat
> -r--r--r-- 1 root root 5546 Sep 6 10:32 signlic.txt
> -r-xr-xr-x 1 root root 6302 Sep 6 10:32 uninstall-uvscan
> -r-xr-xr-x 1 root root 127699 Sep 6 10:32 uvscan
> -r--r--r-- 1 root root 13422 Sep 6 10:32 uvscan.1
> -r-xr-xr-x 1 root root 402 Sep 6 10:32 uvscan_secure
> -rwxrwxrwx 1 root root 51200 Sep 1 06:32 validate.exe
>
> I think the test below says uvscan is working properly. Does it?
>
> [mirko at harey ~/tempo]$ ls
> Conclusioni.zip dfi82C4rD20713 forwarded-email qfi82C4rD20713
> [mirko at harey ~/tempo]$ uvscan --verbose /home/mirko/tempo
> Scanning /home/mirko/tempo/*
> Scanning file /home/mirko/tempo/dfi82C4rD20713
> Scanning file /home/mirko/tempo/qfi82C4rD20713
> Scanning file /home/mirko/tempo/Conclusioni.zip
> /home/mirko/tempo/Conclusioni.zip
> Found the W32/Mabutu.a at MM!zip virus !!!
> Scanning file /home/mirko/tempo/forwarded-email
>
> Conclusioni.zip is the saved attachment.
Yes indeed, that is exactly the behaviour from mcafee I was seeing too.
When issued from the command line mcafee would properly detect the virus
but would declare it 'virus free' when scanned from MailScanner.
By the looks of it your mcafee directory is ok but this doesn't mean that
there aren't any symlinks to these binaries elsewhere on the box.
I would check virus.scanners.conf to see from which location MailScanner
is invoking mcafee. Also I would check if there are any symlinks to the
dat files. If there are, replace the symlinks to the datfiles with
the real dat files and try scanning from MailScanner again.
>
> mirko
>
>> I used to have symlinks to my dat files and binary until I got badly
>> bitten....
>>
>> I decided to ditch mcafee completely but that's another subject :)
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
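The two checks suggested in the reply above (read from virus.scanners.conf where MailScanner invokes mcafee, then look for symlinks on that directory, the uvscan binary and its .dat files), as an added shell example that is not part of the list post or of MailScanner itself. It assumes the stock virus.scanners.conf layout of one `name wrapper install-directory` entry per line and the conventional config path /etc/MailScanner/virus.scanners.conf; both are assumptions, not values taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the list post or from MailScanner.
# It performs the two checks the reply suggests:
#   1. read the install directory MailScanner uses for a scanner out of
#      virus.scanners.conf;
#   2. report whether that directory, the uvscan binary or any .dat file
#      in it is a symlink, since the thread describes McAfee answering
#      "clean" when run through symlinked paths but detecting the virus
#      when run directly from the command line.
#
# Assumption: virus.scanners.conf lines look like
#   mcafee   /usr/lib/MailScanner/mcafee-wrapper   /usr/local/uvscan
# (scanner name, wrapper script, install directory), as in MailScanner's
# stock configuration; comment lines start with '#'.

# Print the install directory configured for scanner $2 in config file $1.
scanner_install_dir() {
  awk -v name="$2" '$1 !~ /^#/ && $1 == name { print $3; exit }' "$1"
}

# Print "<path> -> <link target>" for the directory itself, the uvscan
# binary and every .dat file in $1 that is a symbolic link.
# Returns 1 if at least one symlink was reported, 0 otherwise.
# The liblnxfv.so -> liblnxfv.so.4 link shipped inside the McAfee
# directory (visible in the listing above) is deliberately not checked.
find_scanner_symlinks() {
  dir=$1
  found=0
  for f in "$dir" "$dir"/uvscan "$dir"/*.dat; do
    [ -L "$f" ] || continue
    printf '%s -> %s\n' "$f" "$(readlink "$f")"
    found=1
  done
  return "$found"
}

# Combined check for one scanner name $2 in config $1: resolve the
# configured directory and list any symlinks it involves.
# Exit status: 0 clean, 1 symlinks found, 2 scanner not configured.
check_scanner() {
  conf=$1
  name=$2
  dir=$(scanner_install_dir "$conf" "$name")
  if [ -z "$dir" ]; then
    echo "no entry for $name in $conf" >&2
    return 2
  fi
  echo "MailScanner invokes $name from: $dir"
  if find_scanner_symlinks "$dir"; then
    echo "no symlinks on the $name directory, binary or .dat files"
  else
    echo "replace the symlinks above with the real files and rescan"
    return 1
  fi
}

# Stand-alone use: sh check-scanner.sh /etc/MailScanner/virus.scanners.conf mcafee
# (config path is an assumption; adjust to the local installation)
if [ "$#" -ge 2 ]; then
  check_scanner "$1" "$2"
fi
```

A non-zero exit from `check_scanner` points at exactly the situation the reply describes: the path MailScanner hands to the wrapper goes through a symlink somewhere, even though `ls -l` in the install directory itself looks fine. Replacing the reported links with the real files and rescanning the saved df/qf pair from MailScanner is then the confirmation step.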